Mozilla disables vulnerable Microsoft plugin for Firefox

Mozilla has blocked Microsoft's WPF plugin for Firefox in response to a …

Mozilla has temporarily disabled Microsoft's WPF plugin for Firefox in order to protect users from a security vulnerability that was recently uncovered in the component. The vulnerability can be exploited when users visit malicious Web pages that contain specially crafted XAML content.

Microsoft issued an Internet Explorer patch to fix the vulnerability through its Windows Update mechanism on Tuesday. The IE patch is said to fully resolve the vulnerability for Firefox users in addition to users of Microsoft's own browser. Mozilla is concerned, however, that not all users have performed the Windows update yet. In order to protect users who are not yet patched, Mozilla has added Microsoft's plugin to its add-on blocklist, causing it to be automatically disabled by the browser.

Mike Shaver, Mozilla's vice president of engineering, described the security problem in a blog entry posted Friday in the official Mozilla security blog. He explains that Mozilla decided to block the plugin when Microsoft suggested that users should consider turning it off until the efficacy of the fix has been fully confirmed. The related .NET Framework Assistant add-on was initially blocked too, but Mozilla removed it from the blocklist when Microsoft later confirmed that it was not vulnerable.

"Because of the difficulties some users have had entirely removing the add-on, and because of the severity of the risk it represents if not disabled, we contacted Microsoft today to indicate that we were looking to disable the extension and plugin for all users via our blocklisting mechanism," he wrote. "Microsoft agreed with the plan, and we put the blocklist entry live immediately."

The plugin generated controversy earlier this year because Microsoft surreptitiously injected it into Firefox via a Windows Update, without prompting or notifying users. In response to criticism from Firefox users and concerns expressed by Mozilla itself, Microsoft released a tool in June that users could run to uninstall the plugin.

Adding the plugin to a blocklist seems reasonable in light of the risk that this security vulnerability poses to users, but it's a very blunt weapon. Microsoft apparently doesn't properly maintain version numbers in the plugin, so Mozilla has no way to selectively target the block to the insecure version. This means that the block will affect users who have already updated to a safe version of the plugin.

One of our readers submitted a report in Mozilla's bug tracking system requesting that the plugin be restored for users who are fully patched, but there's currently no way to accomplish this. Mozilla has implemented a feature in Firefox that will allow users to manually override the block for individual plugins, but it's unclear when this feature will be deployed. Although it's likely that it will go out soon in a Firefox update, users may have to wait for its arrival (or dive into about:config and disable the entire blocklist mechanism) if they want to use the WPF plugin.
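The two paragraphs above describe why the block is so blunt: a blocklist can only spare patched users if the plugin reports a version that distinguishes patched from vulnerable builds. The following added example is not Mozilla's blocklist code and does not reproduce its real blocklist format; it is a small, constructed matcher that shows the two situations side by side. The file name example-wpf-plugin.dll, the entry fields and every version number in it are assumptions made up for the illustration.

```python
"""Toy add-on blocklist matcher: why a missing plugin version forces a
blanket block.

Constructed example, not Mozilla's blocklist implementation or data.
File names, fields and version numbers below are assumptions.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn a dotted version such as "3.5.30729.1" into a tuple of ints so
    comparisons are numeric, not lexicographic ("3.5.10" > "3.5.9").
    A component with no leading digits (e.g. "beta") counts as 0."""
    parts = []
    for part in text.split("."):
        match = re.match(r"\d+", part)
        parts.append(int(match.group()) if match else 0)
    return tuple(parts)


@dataclass(frozen=True)
class BlockEntry:
    """One blocklist entry: the plugin file it targets and, optionally, an
    inclusive version range considered vulnerable. Both bounds None means
    'block every version' (the blunt weapon the article describes)."""
    filename: str
    min_version: Optional[str] = None
    max_version: Optional[str] = None


@dataclass(frozen=True)
class InstalledPlugin:
    filename: str
    version: Optional[str]  # None models a plugin that reports no usable version


def is_blocked(plugin: InstalledPlugin, entry: BlockEntry) -> bool:
    """Decide whether `entry` disables `plugin`. File names are compared
    case-insensitively because Windows file systems are."""
    if plugin.filename.lower() != entry.filename.lower():
        return False
    if entry.min_version is None and entry.max_version is None:
        return True  # blanket block: no way to spare patched users
    if plugin.version is None:
        # Range entry, but the plugin gives no version to compare against.
        # A blocklist cannot tell a patched build from a vulnerable one here,
        # so the conservative (and user-unfriendly) outcome is to block.
        return True
    v = parse_version(plugin.version)
    if entry.min_version is not None and v < parse_version(entry.min_version):
        return False
    if entry.max_version is not None and v > parse_version(entry.max_version):
        return False
    return True


def demo() -> Dict[str, bool]:
    """Run the constructed scenarios and return the block decision for each."""
    blanket = BlockEntry("example-wpf-plugin.dll")                  # assumed name
    ranged = BlockEntry("example-wpf-plugin.dll", max_version="1.0.0")  # assumed range
    return {
        # Unversioned plugin: blocked under either entry.
        "unversioned/blanket": is_blocked(InstalledPlugin("example-wpf-plugin.dll", None), blanket),
        "unversioned/ranged": is_blocked(InstalledPlugin("example-wpf-plugin.dll", None), ranged),
        # Properly versioned plugin: a range entry can spare the patched build.
        "patched/blanket": is_blocked(InstalledPlugin("example-wpf-plugin.dll", "1.0.1"), blanket),
        "patched/ranged": is_blocked(InstalledPlugin("example-wpf-plugin.dll", "1.0.1"), ranged),
        "vulnerable/ranged": is_blocked(InstalledPlugin("Example-WPF-Plugin.dll", "0.9.9"), ranged),
        # Unrelated plugin is never touched.
        "other/ranged": is_blocked(InstalledPlugin("other-plugin.dll", "0.1"), ranged),
    }


if __name__ == "__main__":
    for scenario, blocked in demo().items():
        print(f"{scenario:20s} blocked={blocked}")
```

The "patched/ranged" case is the outcome the article says Mozilla could not reach: without trustworthy version metadata, every installed copy looks the same to the blocklist, and the only remaining choices are to block all of them or none.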

Plugin security vulnerabilities are a major problem for browser vendors. These bugs are especially tempting as exploit targets because they often affect multiple browsers and provide a bigger audience of potential victims. In response to the serious security vulnerabilities that have been found in Adobe Flash and other popular plugins, Mozilla launched a new plugin check service earlier this month that will help users determine when they need to update. The recent problems with Microsoft's plugin demonstrate the importance of this sort of vigilance.

38 Reader Comments

I just found out about this yesterday when I looked in my add-ons and noticed that the plugin was disabled "for my own protection". I was wondering why Firefox was going all Orson Welles on me until I read about the "security vulnerability". Microsoft and their crappy software...

I went ahead and manually uninstalled it via a somewhat lengthy procedure. Why MS could not just enable it to be removed (they grayed out the uninstall option) is beyond me. Sorry MS, but I am not going back to IE# for any amount of moola or persuasive efforts on your part.

Microsoft is really getting on my nerves with their recent approaches to "protect" the user.

It is stupid enough to add a plugin to third-party software without asking but to then disable the ability to remove it is beyond stupidity.

It's bad enough that they hide or try to prohibit users from seeing or changing many folders in the system, even such common ones as the User data. (As if their stupid naming conventions (spaces in all default folders ????) were not idiotic enough)

Nice to see Firefox acknowledge that Enterprise customers don't want the Foundation to control their browsers remotely without admin intervention. The sooner they take care of this, the sooner they'll get taken seriously in the Enterprise space. If you want to know why FF and Chrome have gotten so little penetration in that area compared to IE, central admin function is the answer. Fault Microsoft for many things, but not giving admins control over their environment isn't one of them.

Microsoft apparently doesn't properly maintain version numbers in the plugin, so Mozilla has no way to selectively target the block to the insecure version.

The plug-in didn't contain the vulnerability and wasn't updated in the patch -- hence no version number increment. The vulnerability was in a system library. Firefox doesn't include a mechanism to correctly determine whether a system is vulnerable (determine library number). The end result of FF's action will be that many systems will have the blocklist mechanism (permanently) disabled due to Mozilla's over-zealous blocking on unaffected systems, which defeats its purpose.

Originally posted by JPan: Microsoft is really getting on my nerves with their recent approaches to "protect" the user.

It is stupid enough to add a plugin to third-party software without asking but to then disable the ability to remove it is beyond stupidity.

It's bad enough that they hide or try to prohibit users from seeing or changing many folders in the system, even such common ones as the User data. (As if their stupid naming conventions (spaces in all default folders ????) were not idiotic enough)

God forbid they try to shore up the stability of their O/S by limiting the damage your average idiot PC user can do mucking around in system files. I understand from your (our) point of view about it being a little bit annoying, but if you want to spend all your time fiddling with the O/S then run Linux. At least you can still easily get to and modify O/S settings in Windows, which is better than I can say for Apple.

I am taking a moment to post here because a lot of you are frothing at the mouth about Microsoft disabling your plugin when it was the Mozilla Foundation folks who disabled the plugin. They are the ones who went Orwell on you. But don't let the facts get in the way of a good anti-Microsoft thread. Anybody who disables crap on my computer without my permission gets a gigantic F-U from me. And it wasn't even a vulnerability in the plug-in. This whole incident was just Mozilla thumbing its nose at Microsoft.

Originally posted by dragula53: I am taking a moment to post here because a lot of you are frothing at the mouth about Microsoft disabling your plugin when it was the Mozilla Foundation folks who disabled the plugin. They are the ones who went Orwell on you. But don't let the facts get in the way of a good anti-Microsoft thread. Anybody who disables crap on my computer without my permission gets a gigantic F-U from me. And it wasn't even a vulnerability in the plug-in. This whole incident was just Mozilla thumbing its nose at Microsoft.

Exactly where did you see "a lot of" posts getting the wrong idea about exactly who it was that disabled the plugin? So far, I can't see a single one.

From the article: "Microsoft surreptitiously injected it into Firefox via a Windows Update, without prompting or notifying users."

So, disabling stuff on your PC without your permission is objectionable, but putting it there in the first place without your knowledge or consent is just fine?

Lastly, sure, the vulnerability wasn't in the plugin itself; regardless of that, the presence of the plugin exposes the user's system to the vulnerability.

Originally posted by dragula53: This whole incident was just Mozilla thumbing its nose at Microsoft.

From the article:

"Because of the difficulties some users have had entirely removing the add-on, and because of the severity of the risk it represents if not disabled, we contacted Microsoft today to indicate that we were looking to disable the extension and plugin for all users via our blocklisting mechanism," he wrote. "Microsoft agreed with the plan, and we put the blocklist entry live immediately."

It seems the straightforward solution to the "Firefox can't tell if it's vulnerable" issue is for Microsoft to re-release the plugin in a newer version that explicitly requires the updated DLL, and push that out via MS Update. They should be able to fast-track QA, given that it will be the same code they've already put out.

As others have mentioned, I also disabled this earlier this year due to reports of potential vulnerabilities.

It does nothing to endear MS to me that they push out something to a non-MS browser.

Note to MS: I switched to another browser for a number of reasons, including better security (at the time I switched). I like that browser and don't need you mucking up my "web experience". In fact, I've adapted pretty well to using multiple browsers, if needed. Much like using Excel instead of Word for creating a spreadsheet, I'll use a different browser if the preferred browser doesn't render properly. It's called choosing the right program for the right job. Not "let's jam our version of the web experience down everyone's throat". OK? Thanks.

I'm so damn thankful Mozilla took this action, as trying to remove the add-ons was just a pain in the ass to do. Install another piece of software to uninstall another?

To this day, I still have no clue why these add-ons were included, and more importantly, why Firefox. I chose this browser because IE's inability to effectively block ActiveX was crap, and now I've got to risk an unrelated file to do the same to my *safe* browser?

I certainly hope Mozilla keeps all Microsoft related add-ons blacklisted (sadly, one was restored) given their history of being security vulnerabilities. What's next, Silverlight?

Now, if only Mozilla would block the Norton (we can't disable) add-on as well.

It's getting to the point owning a computer isn't true, and that we're leasing a system that gives everyone the ability to hijack *our* computer setup without consent.

If the Mozilla plugin blocklist annoys you, just turn it off: Open a page to about:config, filter "blocklist" & set "extensions.blocklist.enable" to false.

This is a good solution for those that need the .net plugin and have patched their systems but are blocked by the blocklist. Personally, I nuked the .net plugin in FF as:
- I didn't ask for it
- The stealth installation gave me the creeps
- I can always use IE if I should ever need it

Microsoft is the underlying platform vendor so it's possible that there is some reason for rolling these plugins out without asking permission, though frankly, I can't imagine what that reason could be.

If they rolled it out for no other reason than to make sure that Microsoft-based proprietary web applications work in Mozilla, then I find that pretty inappropriate. Even a recommended install would be acceptable, but not a forced stealth install.

So first Microsoft hacks another application via a non-optional, undisclosed Firefox plugin. Then, said hack has a serious, unfixed, and known security problem. I'd be livid if I were Mozilla right now. I'm not a Microsoft-hater by any means, but that's a little ridiculous.

I don't even know what Windows Presentation Foundation is, or why it's there, why I would want it, or why it would take a plugin to work in the first place. I didn't install it on purpose, so the fact that it gets uninstalled as easily as it was installed . . well, heck, I guess it evens itself out.

First off, WHY did MS install a FF plugin which cannot be disabled/uninstalled by normal means? And why does FF ALLOW plugins to have this functionality?

But onto the core issue.. why is Mozilla disabling the plugin AFTER THE FLAW HAS ALREADY BEEN PATCHED BY MICROSOFT??!

The proper way Mozilla should have gone about this if they were concerned with users who have not patched their systems (and on that note - MS calling it an IE update was a BAD IDEA as well, since it doesn't only affect IE..) would be as follows:
1) If system has been patched (check .dll versions or something which would indicate patch installed..), LEAVE IT ALONE.
2) If not, pop up a message saying there is a vulnerability, and suggest it is a VERY GOOD IDEA to either:
a) Allow FF to disable the extension, but if not..
b) STRONGLY RECOMMEND the user apply the security update.

And if this is not possible in the current version of FF, push out an update (installed only with consent/auto updates enabled..) WITH FUNCTIONALITY TO ALLOW THIS.

I think it is DOWNRIGHT SCARY - on par with the Amazon Kindle 1984 debacle - that Mozilla has the ability to disable plugins on MY COMPUTER without my knowledge or consent.

Originally posted by d_jedi: But onto the core issue.. why is Mozilla disabling the plugin AFTER THE FLAW HAS ALREADY BEEN PATCHED BY MICROSOFT??!

From the article: "Mozilla is concerned, however, that not all users have performed the Windows update yet. In order to protect users who are not yet patched, Mozilla has added Microsoft's plugin to its add-on blocklist, causing it to be automatically disabled by the browser." Duh! RTFA!!!!!!

Originally posted by d_jedi: But onto the core issue.. why is Mozilla disabling the plugin AFTER THE FLAW HAS ALREADY BEEN PATCHED BY MICROSOFT??!

From the article: "Mozilla is concerned, however, that not all users have performed the Windows update yet. In order to protect users who are not yet patched, Mozilla has added Microsoft's plugin to its add-on blocklist, causing it to be automatically disabled by the browser." Duh! RTFA!!!!!!

Duh! RTROMP (Read the rest of my post)!!!!!!!!!!!!

Disabling the plugin for users who have already patched their systems does not protect them in any way. In fact, I'd call it malicious behaviour.

Good. Keep it on that list permanently. Microsoft had no right to unknowingly install that useless extension anyway. I already disabled it as soon as I found out about it, and I wasn't at all happy when I discovered it. I think Mozilla should forbid 3rd parties from installing such extensions, especially when they can only be manually disabled by changing a setting in the registry.